Bug 66606 - Would like Signtool to use OCSP and/or check CRLs during verification
Product: NSS
Classification: Components
Component: Tools
Version: unspecified
Hardware: Sun Solaris
Priority/Severity: P2 enhancement
Target Milestone: 3.6
Assigned To: Kirk Erickson
QA Contact: Bishakha Banerjee
Reported: 2001-01-25 18:00 PST by Arshad Noor
Modified: 2002-06-13 10:06 PDT

Attachment 87149: Proposed patch (3.31 KB, patch)
2002-06-10 16:02 PDT, Kirk Erickson
julien.pierre: review+

Description  Arshad Noor 2001-01-25 18:00:58 PST
We would like to have signtool use the Online Certificate Status Protocol
(OCSP) and CRL checking, when verifying signatures on a signed object.

If the certificate that corresponds to the signing key has a CRL Distribution
Point in it, it should attempt to load the CRL defined in the CRLDP's URI and
check it for a revoked certificate.

If the certificate that corresponds to the signing key has an Authority Info
Access extension in it, signtool should attempt to use the OCSP protocol to
make a request to the URI in the AIA extension to validate the certificate.

These two features will make signtool more robust and reliable, since it will
allow customers to verify, in "real-time" that the certificate that signed
the objects has not been revoked.

Note: If you'd like, Sun can help by providing an entire testing infrastructure
for these enhancements.  SunPKI ( has established an
infrastructure that publishes CRLs, and supports an OCSP server that is
accessible over the Internet.  Thanks.
Comment 1  Keyser Sose 2001-01-28 14:39:34 PST
Marking NEW.
Comment 2  Ian McGreer 2001-01-29 08:27:09 PST
marking signtool bugs as future until 3.3 plan is ready.
Comment 3  Wan-Teh Chang 2001-02-27 15:54:45 PST
Set Target Milestone to NSS 3.3.  Assigned the RFE to
Bob for evaluation.
Comment 4  Robert Relyea 2001-11-28 17:15:14 PST
Wan-Teh, this should be relatively easy (assuming CRLs and OCSP are working;),
but it's not a critical function for NSS 3.4, so I'm likely to prioritize this
low. (This would be a good candidate for someone else to pick up if we want it
in 3.4).

NOTE: half of this should already be done. CRLs should be working with
signtool. OCSP only requires an option to turn it on.

Comment 5  Wan-Teh Chang 2001-11-29 17:29:43 PST
Assigned the bug to Kirk.

I don't think this needs to be done in 3.4.  It would
be a good idea to talk to the bug reporter about the
time frame.
Comment 6  Wan-Teh Chang 2002-04-25 16:34:48 PDT
Changed the QA contact to Bishakha.
Comment 7  Wan-Teh Chang 2002-05-08 17:07:04 PDT
Set target milestone to NSS 3.5.
Comment 8  Kirk Erickson 2002-05-23 16:17:59 PDT
Reviewed this bug with Julien.  We need to make signtool call
CERT_EnableOCSPChecking (handle);

Using a cert with the OCSP extension we should then hit:
ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)

Stumbled across this typo:
kirke@iws-perf[51] rgrep OSCP
./mozilla/security/nss/cmd/certutil/certutil.c:1497:    fprintf(stdout, "%-25s 5 - OSCP Responder\n", "");

Should be OCSP (Online Certificate Status Protocol).
Emailed Julien, thinking he might still be touching certutil.c.

Comment 9  Kirk Erickson 2002-06-10 16:02:04 PDT
Created attachment 87149 [details] [diff] [review]
Proposed patch

Adds -O argument to signtool command line, which enables
OCSP checking by calling CERT_EnableOCSPChecking().
Comment 10  Kirk Erickson 2002-06-10 16:08:06 PDT

I've added you to the cc-list for this bug because it's
your routine that needs calling.
Could you review the patch I've attached?

Comment 11  Julien Pierre 2002-06-10 16:27:28 PDT
Comment on attachment 87149 [details] [diff] [review]
Proposed patch

looks good
Comment 12  Kirk Erickson 2002-06-11 09:41:39 PDT
Checked in patch to add -O (enable OCSP checking),
and closed.
Comment 13  Wan-Teh Chang 2002-06-11 13:32:16 PDT
Comment on attachment 87149 [details] [diff] [review]
Proposed patch

Thanks for coming up with the patch.  Some comments.

1. In this block of code, the indentation of the body of
the inner if statement is wrong:

>+	if (enableOCSP) {
>+		SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
>+		if (rv != SECSuccess) {
>+	        PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
>+	        errorCount++;
>+	        retval = -1;
>+		}
> 	}
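Review bot: in the inner `if`, a failed CERT_EnableOCSPChecking() is only recorded (`errorCount++; retval = -1;`) and control falls through to whatever comes next, so unless the caller tests retval before it verifies anything, a user who explicitly asked for -O could get a verification result computed without OCSP checking; consider returning retval (or exiting) right after the PR_fprintf so the tool fails closed when the requested check cannot be enabled. Separately, the body of that inner `if` is indented with spaces while the enclosing lines use tabs; match the surrounding indentation.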

2. In the original description of this RFE, the reporter asks
that OCSP be used if the certificate that corresponds to the
signing key has an Authority Info Access extension in it.  In
your patch, the use of OCSP is controlled by the -O option.
This is not exactly what the original RFE asks for.

3. Your patch does not check CRLs so we might want to edit
the bug's summary to reflect what actually got implemented.
Comment 14  Julien Pierre 2002-06-11 15:10:10 PDT
I would say that it is preferable to keep OCSP an option, because some people
may be running signtool offline, or in a non-Internet network where they won't
be able to reach OCSP responders for checking. So it should not be enabled by

As far as CRLs, they should already be checked automatically if they are
installed in the cert DB, but the CRL distribution point is not handled yet.

See bugs
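The rule the report asks for (consult the CRL Distribution Point when the signing certificate carries one; consult the AIA OCSP responder when the certificate carries one), combined with the decision in comments 9 and 14 to make OCSP an opt-in switch (-O) because offline verifiers cannot reach a responder, can be expressed as a small selection step. The Go program below is an added illustration and is not NSS or signtool code: it builds a self-signed code-signing certificate carrying constructed example URIs (the .test hostnames are placeholders, not a real CA) and then picks the revocation sources a verifier could use, keeping only http(s) URIs it could actually fetch. The function names and the RevocationSources type are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RevocationSources lists where a verifier could check the signing
// certificate's status, derived from the two extensions the RFE names.
type RevocationSources struct {
	CRLs []string // CRL Distribution Point URIs (http/https only)
	OCSP []string // OCSP responder URIs from the AIA extension
}

// httpOnly keeps URIs a command-line tool could fetch directly; LDAP and
// other schemes are dropped here rather than failing later at fetch time.
func httpOnly(urls []string) []string {
	var out []string
	for _, u := range urls {
		l := strings.ToLower(u)
		if strings.HasPrefix(l, "http://") || strings.HasPrefix(l, "https://") {
			out = append(out, u)
		}
	}
	return out
}

// SelectRevocationSources applies the RFE's rule: CRLDP URIs are always
// candidates, while the AIA OCSP responder is used only when the operator
// opted in (the -O style switch), since offline runs cannot reach it.
func SelectRevocationSources(cert *x509.Certificate, ocspEnabled bool) RevocationSources {
	s := RevocationSources{CRLs: httpOnly(cert.CRLDistributionPoints)}
	if ocspEnabled {
		s.OCSP = httpOnly(cert.OCSPServer)
	}
	return s
}

// newSigningCert builds a self-signed code-signing certificate carrying the
// given (constructed, example-only) CRLDP and AIA OCSP URIs, so that the
// selection logic can be exercised offline without a real CA.
func newSigningCert(crlURLs, ocspURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example signer (not a real CA)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		CRLDistributionPoints: crlURLs, // encoded as the CRLDP extension
		OCSPServer:            ocspURLs, // encoded as id-ad-ocsp in the AIA extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newSigningCert(
		[]string{"http://crl.example.test/signing.crl", "ldap://dir.example.test/cn=crl"},
		[]string{"http://ocsp.example.test"},
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with -O:    %+v\n", SelectRevocationSources(cert, true))
	fmt.Printf("without -O: %+v\n", SelectRevocationSources(cert, false))
}
```

With -O the ldap:// distribution point is filtered out and the OCSP responder is kept; without -O the OCSP list is empty even though the AIA extension is present, which is exactly the behaviour Julien argues for: the extension decides where to ask, the switch decides whether to go on the network at all.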
Comment 15  Wan-Teh Chang 2002-06-11 15:37:12 PDT
Please ignore my comments 2 and 3 in comment #13.  Kirk and
Julien have both responded to my questions.  Thanks.

Kirk, you just need to fix the indentation of that if statement.
Comment 16  Kirk Erickson 2002-06-13 10:06:38 PDT
I fixed the indentation shortly after seeing comment #15.